
New Member

Need help with VLAN/Access List/RDP

Have an attorneys office that needs to connect via PPTP to a VPN and then RDP into a desktop to access files.

PPTP setup and working on Pix 515e. Can connect fine. When client then tries to RDP into the machine they cannot connect.

Cisco 3560 switch with VLANs configured is where I think the problem lies but can't pinpoint the issue. Clerks office is on VLAN8 with the following ACL assigned to it:

access-list 108 permit icmp any any

access-list 108 permit tcp host 10.10.0.70 any

access-list 108 permit tcp host 10.10.0.71 any

access-list 108 permit ip 10.70.0.0 0.0.255.255 any

access-list 108 permit ip 10.250.0.0 0.0.0.255 any

access-list 108 permit ip 10.254.0.0 0.0.0.255 any

access-list 108 permit tcp 10.10.0.0 0.0.255.255 any eq www

access-list 108 deny ip 172.16.1.0 0.0.0.255 any

access-list 108 deny ip 10.0.0.0 0.255.255.255 any

access-list 108 permit ip any any

When I connect via the PPTP VPN I have an IP address of 10.10.0.241. I added a line to permit any from 10.10.0.0 0.0.255.255 but that didn't allow it either so I removed it.

I have tried every command I can think of to get this to work but nothing has worked.

Any help would be appreciated.

16 REPLIES
Hall of Fame Super Bronze

Re: Need help with VLAN/Access List/RDP

Can you post the updated ACL with the new line for 10.10.0.0?

__

Edison.

New Member

Re: Need help with VLAN/Access List/RDP

access-list 108 permit icmp any any

access-list 108 permit ip 10.10.0.0 0.0.255.255 any

access-list 108 permit tcp 10.10.0.0 0.0.255.255 any

access-list 108 permit tcp host 10.10.0.70 any

access-list 108 permit tcp host 10.10.0.71 any

access-list 108 permit ip 10.70.0.0 0.0.255.255 any

access-list 108 permit ip 10.250.0.0 0.0.0.255 any

access-list 108 permit ip 10.254.0.0 0.0.0.255 any

access-list 108 permit tcp 10.10.0.0 0.0.255.255 any eq www

access-list 108 deny ip 172.16.1.0 0.0.0.255 any

access-list 108 deny ip 10.0.0.0 0.255.255.255 any

access-list 108 permit ip any any

I did IP and TCP just in case but still was unable to connect.

Hall of Fame Super Bronze

Re: Need help with VLAN/Access List/RDP

Can you ping the intended device? If so, it can be a RDP application issue.

__

Edison.

New Member

Re: Need help with VLAN/Access List/RDP

I am able to ping the device, no problem. I can also RDP to it from the server at IP 10.250.0.3.

Hall of Fame Super Bronze

Re: Need help with VLAN/Access List/RDP

Are you saying you can RDP from the PPTP connection to server 10.250.0.3?

Or you can RDP from server 10.250.0.3 to a workstation?

If so, the situation is a lot different. RDP can be sensitive to latency on the PPTP connection.

__

Edison.

New Member

Re: Need help with VLAN/Access List/RDP

I connect to PPTP connection and can then RDP to server at 10.250.0.3. From there I can RDP to the PC at 10.70.0.61.

Just connected to PPTP connection I cannot RDP to 10.70.0.61 PC.

Hall of Fame Super Bronze

Re: Need help with VLAN/Access List/RDP

The ACL on Vlan8 is an inbound or outbound ACL?

If you remove the ACL, are you able to RDP to devices on the Vlan?

__

Edison.

New Member

Re: Need help with VLAN/Access List/RDP

Says ip access-group 108 out.

I've not tried removing it for fear I would break something else on their network they are using or needing.

Hall of Fame Super Bronze

Re: Need help with VLAN/Access List/RDP

Then, your ACE should be

access-list 108 permit ip any 10.10.0.0 0.0.255.255

__

Edison.

New Member

Re: Need help with VLAN/Access List/RDP

Does it make a difference where that line goes, as long as it's before the deny statements?

Hall of Fame Super Bronze

Re: Need help with VLAN/Access List/RDP

This ACE is blocking any connection from 10/8 out of that Vlan.

access-list 108 deny ip 10.0.0.0 0.255.255.255 any

You need to implement, before the ACE above, either

access-list 108 permit ip any 10.10.0.0 0.0.255.255

or

access-list 108 permit ip 10.0.0.0 0.255.255.255 10.10.0.0 0.0.255.255

as the ACL direction is egress, not ingress.

On ingress, the ACEs you had

access-list 108 permit ip 10.10.0.0 0.0.255.255 any

access-list 108 permit tcp 10.10.0.0 0.0.255.255 any

would've worked.
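The direction and ordering point above can be checked offline. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for Cisco-style extended ACLs with wildcard masks, loaded with the ACL posted in this thread and asked which ACE an RDP packet (tcp/3389, a standard port assumption) hits in each direction. It models only the ACL, not the PIX or the PPTP path.

```python
import ipaddress

# Added example (not from the thread): first-match evaluator for Cisco-style
# extended ACLs with wildcard masks, where a 1 bit in the mask means "don't care".
def wildcard_match(addr, network, wildcard):
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)

def parse_ace(line):
    # 'access-list N permit|deny proto SRC DST [eq PORT]' -> dict
    tok = line.split()
    ace, pos = {"action": tok[2], "proto": tok[3], "dport": None}, 4
    for key in ("src", "dst"):
        if tok[pos] == "any":
            ace[key], pos = ("0.0.0.0", "255.255.255.255"), pos + 1
        elif tok[pos] == "host":
            ace[key], pos = (tok[pos + 1], "0.0.0.0"), pos + 2
        else:
            ace[key], pos = (tok[pos], tok[pos + 1]), pos + 2
    if pos < len(tok) and tok[pos] == "eq":
        ace["dport"] = 80 if tok[pos + 1] == "www" else int(tok[pos + 1])
    return ace

def evaluate(acl, proto, src, dst, dport):
    # The first matching ACE decides; an unmatched packet hits the implicit deny.
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto) or ace["dport"] not in (None, dport):
            continue
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"], line
    return "deny", "implicit deny"

# The thread's updated ACL, applied as 'ip access-group 108 out' on the VLAN 8 SVI.
ACL_108 = [
    "access-list 108 permit icmp any any",
    "access-list 108 permit tcp host 10.10.0.70 any",
    "access-list 108 permit tcp host 10.10.0.71 any",
    "access-list 108 permit ip 10.70.0.0 0.0.255.255 any",
    "access-list 108 permit ip 10.250.0.0 0.0.0.255 any",
    "access-list 108 permit ip 10.254.0.0 0.0.0.255 any",
    "access-list 108 permit tcp 10.10.0.0 0.0.255.255 any eq www",
    "access-list 108 permit ip 10.0.0.0 0.255.255.255 10.10.0.0 0.0.255.255",
    "access-list 108 deny ip 172.16.1.0 0.0.0.255 any",
    "access-list 108 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 108 permit ip any any",
]

def rdp_verdict(acl, src, dst):
    # Verdict for one RDP packet (tcp/3389) from src to dst under acl.
    return evaluate(acl, "tcp", src, dst, 3389)
```

Running rdp_verdict for both directions of the VPN client to PC flow shows which ACE each direction lands on, so the placement of a new ACE relative to the deny 10/8 line can be verified before it is applied to the switch.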

New Member

Re: Need help with VLAN/Access List/RDP

Now looks like this:

access-list 108 permit icmp any any

access-list 108 permit tcp host 10.10.0.70 any

access-list 108 permit tcp host 10.10.0.71 any

access-list 108 permit ip 10.70.0.0 0.0.255.255 any

access-list 108 permit ip 10.250.0.0 0.0.0.255 any

access-list 108 permit ip 10.254.0.0 0.0.0.255 any

access-list 108 permit tcp 10.10.0.0 0.0.255.255 any eq www

access-list 108 permit ip 10.0.0.0 0.255.255.255 10.10.0.0 0.0.255.255

access-list 108 deny ip 172.16.1.0 0.0.0.255 any

access-list 108 deny ip 10.0.0.0 0.255.255.255 any

access-list 108 permit ip any any

Tried to RDP to 10.70.0.61 again and still nothing.

Hall of Fame Super Bronze

Re: Need help with VLAN/Access List/RDP

It makes no sense why it is not working with this ACE

access-list 108 permit ip 10.70.0.0 0.0.255.255 any

unless there is something else missing.

__

Edison.

New Member

Re: Need help with VLAN/Access List/RDP

There shouldn't be anything on the Pix that's blocking this, should there? I wouldn't think so, but just checking.

This is why I was stumped as well. I tried to allow everything possible and still couldn't connect.

Hall of Fame Super Bronze

Re: Need help with VLAN/Access List/RDP

There shouldn't be anything on the Pix that's blocking this, should there?

We don't know the PIX config. For PIX assistance, please repost in the firewall section of these forums.

__

Edison.

New Member

Re: Need help with VLAN/Access List/RDP

If I can connect to PPTP through the Pix though, that should be about all that I need from there correct? I can't think of and don't see any rules that would block access. Just wanted to check that though.
